1
donuts
6y

How do the mobile offers in games like "get 1000 Gems if you ... in some other app" able to verify that you actually did that?

Comments
  • 2
    Possibly (hidden?) Google play store achievements?

    Maybe polling the target games' servers? They are "strategic partnerships" (aka selling customers) afterall, so companies setting up APIs for each other to hit isn't absurd.
  • 1
    @Root hm Google Play possibly... just wondering how do they make it cheat proof.

    I'm thinking you could make a modified app that "looks like" the real one and it just sends the other say "task done"
  • 1
    @Root yes but how to identify that the player is the same player though although I think i may know... android installs usually have a unique ID although there are ways to spoof it too...
  • 2
    @billgates I very much doubt the devs get to spend much time hardening it.

    And yes. Unique Android ID plus whatever third-party account you sign into the game with, such as Facebook. That's a best-effort to identify the user.
  • 1
    If they don't do any extra validation, and just simply trust the reply from the other games' server, I figure you could just route the request through a proxy like burp suite or owasp zap
  • 1
    Most are just the fact you clicked the link. watched the add, bam instead reward.

    However some go to the effort of setting up APis to receive conformations and their app just polls until it receives the confirmation.
  • 0
    @C0D4 well not ads. It's like if youinstall another game, get to level 10, will give you 2000 gems which would normally cost $20.
  • 3
    @billgates yea those ones are generally going to be APi driven, so when you sign up to the second app it would have identified you somehow as coming from the first app and fire a message out when you reach that goal.

    First app then spots the confirmation on its servers and rewards you.

    Otherwise if the apps are owned by the same Company they probably have a shared server for rewards in games and all apps and query for them.
  • 1
    @billgates the ad provider has apis for that usually
Add Comment